Spyware, Viruses, & Security forum

General discussion

VULNERABILITIES \ FIXES - July 30, 2008

CoolPlayer M3U File Processing Buffer Overflow

Secunia Advisory: SA31294
Release Date: 2008-07-30


Critical:
Highly critical
Impact: System access

Where: From remote

Solution Status: Unpatched


Software: CoolPlayer 2.x

Description:
Guido Landi has discovered a vulnerability in CoolPlayer, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when processing .M3U files. This can be exploited to cause a stack-based buffer overflow when loading an .M3U file containing an overly long string (greater than 260 bytes).

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 219. Other versions may also be affected.

Solution:
Do not load untrusted .M3U files.

Provided and/or discovered by:
Guido Landi

Original Advisory:
http://milw0rm.com/exploits/6157
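The bounded-entry check such a loader needs, as an added example in C (this is not CoolPlayer's code and not part of the advisory): every playlist line is measured before it is copied into a fixed 260-byte slot, and a playlist carrying an overlong entry is refused outright. The two sample playlists inside are constructed.

```c
#include <stdio.h>
#include <string.h>
#define MAX_ENTRY   260   /* slot size; the advisory's limit is 260 bytes */
#define MAX_ENTRIES 64

/* Parse M3U text into fixed-size path slots. Returns the number of accepted
 * entries, or -1 if any entry would not fit (len + NUL > MAX_ENTRY) or the
 * slot table is full. Refusing is safer than silently truncating a path. */
int load_m3u(const char *text, char out[][MAX_ENTRY], int max_entries)
{
    int count = 0;
    const char *p = text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r')       /* tolerate CRLF playlists */
            len--;
        if (len > 0 && p[0] != '#') {        /* '#' lines are comments/#EXTINF */
            if (len >= MAX_ENTRY || count >= max_entries)
                return -1;                   /* overlong entry: refuse, never copy */
            memcpy(out[count], p, len);      /* bounded copy, then terminate */
            out[count][len] = '\0';
            count++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return count;
}

/* Constructed sample: a benign extended-M3U playlist with two entries. */
int demo_benign(void)
{
    char paths[MAX_ENTRIES][MAX_ENTRY];
    return load_m3u("#EXTM3U\n#EXTINF:123,Song\r\n"
                    "C:\\music\\song.mp3\r\n"
                    "http://example.invalid/stream\n", paths, MAX_ENTRIES);
}

/* Constructed sample: one 300-byte entry, the pattern the advisory describes. */
int demo_overlong(void)
{
    char paths[MAX_ENTRIES][MAX_ENTRY];
    char text[320];
    memset(text, 'A', 300);
    text[300] = '\n';
    text[301] = '\0';
    return load_m3u(text, paths, MAX_ENTRIES);
}

int main(void)
{
    printf("benign: %d entries, overlong: %d\n", demo_benign(), demo_overlong());
    return 0;
}
```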

Condor Authorization Policy Wildcard Security Bypass

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31284
Release Date: 2008-07-30


Critical:
Less critical
Impact: Security Bypass

Where: From remote

Solution Status: Vendor Patch


Software: Condor 7.x

Description:
A security issue has been reported in Condor, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to an error in the processing of wildcard characters included within e.g. a DENY_WRITE entry and can be exploited to bypass restrictions imposed by the authorization policy.

The security issue is reported in versions prior to 7.0.4.

Solution:
Update to version 7.0.4.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.cs.wisc.edu/condor/manual/v7.0/8_3Stable_Release.html#sec:New-7-0-4

Affinium Campaign Multiple Vulnerabilities

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31280
Release Date: 2008-07-30


Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of system information
Exposure of sensitive information
DoS

Where: From remote

Solution Status: Vendor Patch


Software: Affinium Campaign 7.x

Description:
Some vulnerabilities have been reported in Affinium Campaign, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, conduct cross-site scripting and script insertion attacks, or cause a DoS (Denial of Service).

1) An error within the listener server can be exploited to cause the server to crash via a specially crafted packet.

2) Input passed to the CampaignListener web page (using e.g. an ActiveX control) is not properly sanitised before being stored in the status log. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator's browser session in context of an affected site when a malicious status log is viewed.

3) Input passed to the title field and to the "PageName" and "url" parameters in the bookmarks web page is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site e.g. when a bookmark is edited.

4) Input passed to the "displayIcon" parameter in Campaign/updateOfferTemplateSubmit.do is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when viewing a malicious page.

5) An input validation error when processing requests to create a new folder can be exploited to e.g. create folders or files in arbitrary locations via directory traversal sequences.

6) An input validation error in Campaign/CampaignListener can be exploited to e.g. list files in arbitrary locations via a specially crafted request from the application's ActiveX control.

7) Input passed to the "id" parameter in Campaign/campaignDetails.do and Campaign/offerDetails.do, to the "function" parameter in Campaign/Campaign, to the "sessionID" parameter in Campaign/runAllFlowchart.do, to the "actionType" parameter in Campaign/updateOfferTemplatePage.do, to the "Frame" parameter in Campaign/Campaign, and to the "affiniumUserName" parameter in manager/jsp/test.jsp and Campaign/main.do is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 7.2.1.0.55. Other versions may also be affected.

Solution:
The vendor has reportedly issued patches.

Provided and/or discovered by:
1, 5) Neil Kettle and Tim Brown, Portcullis Computer-Security Ltd.
2, 3, 4, 6, 7) Tim Brown, Portcullis Computer-Security Ltd.

Original Advisory:
http://www.portcullis.co.uk/286.php
http://www.portcullis.co.uk/287.php
http://www.portcullis.co.uk/288.php
http://www.portcullis.co.uk/289.php
http://www.portcullis.co.uk/290.php
http://www.portcullis.co.uk/291.php
http://www.portcullis.co.uk/292.php
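A name check for the folder-creation request in item 5, as an added example in C (not Affinium's code and not from the advisory): a folder name is accepted only as a single relative path component, so traversal sequences cannot escape the base directory. The base directory and the request names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Accept only one bare path component: no separators of either flavour, no
 * drive-letter colon, no "." or "..", no control characters, and a length
 * within a typical filesystem limit. Rejected names never reach mkdir, so
 * "..\\..\\windows" and "a/../../etc" cannot escape the base directory. */
int is_safe_folder_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    if (strpbrk(name, "/\\:") != NULL)
        return 0;
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return 0;
    return 1;
}

/* Join base and a validated name into out. Returns 0 on success, -1 if the
 * name is rejected or the result would not fit (no silent truncation). */
int build_folder_path(const char *base, const char *name,
                      char *out, size_t outlen)
{
    if (!is_safe_folder_name(name))
        return -1;
    int w = snprintf(out, outlen, "%s/%s", base, name);
    if (w < 0 || (size_t)w >= outlen)
        return -1;
    return 0;
}

/* Constructed check: 1 if a valid name joins to exactly the expected path. */
int demo_join(void)
{
    char path[64];
    return build_folder_path("/srv/campaign/folders", "summer2008",
                             path, sizeof path) == 0
        && strcmp(path, "/srv/campaign/folders/summer2008") == 0;
}

int main(void)
{
    /* constructed base directory and request names */
    const char *base = "/srv/campaign/folders";
    const char *names[] = { "summer2008", "..", "..\\..\\windows", "a/../../etc" };
    char path[512];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-16s -> %s\n", names[i],
               build_folder_path(base, names[i], path, sizeof path) == 0
                   ? path : "rejected");
    return 0;
}
```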

@Mail Two Information Disclosure Security Issues

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31279
Release Date: 2008-07-30


Critical:
Less critical
Impact: Exposure of system information
Exposure of sensitive information

Where: Local system

Solution Status: Unpatched


Software: @Mail 5.x

Description:
injusticeinamerica has discovered two security issues in @Mail, which can be exploited by malicious, local users to disclose sensitive information.

The security issues are caused due to the webmail/libs/Atmail/Config.php and webmail/webadmin/.htpasswd files having world readable permissions. This can be exploited to obtain e.g. the database user and password or the MD5 hash of the Webadmin password.

The security issues are confirmed in version 5.41 on Linux. Other versions may also be affected.

Solution:
Remove world readable permissions from the affected files (e.g. chmod 640).

Provided and/or discovered by:
injusticeinamerica
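An audit-and-fix for the condition described above, as an added example in C (not @Mail's code and not part of the advisory): it reports whether a file is readable by everyone and, if so, clears the "other" bits so a 0644 file becomes 0640, matching the suggested chmod 640. It operates only on a constructed temporary file and assumes a writable /tmp; it does not touch a real installation.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if "other" can read the file, 0 if not, -1 if it cannot be stat'ed. */
int is_world_readable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_IROTH) ? 1 : 0;
}

/* Clear r/w/x for "other" while leaving owner and group bits alone, so a
 * 0644 file ends up 0640 and a 0755 file 0750. Returns the new permission
 * bits, or -1 on failure. Symlinks are followed, as with chmod(1). */
int drop_world_access(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    mode_t newmode = (st.st_mode & 07777) & ~(mode_t)S_IRWXO;
    if (chmod(path, newmode) != 0)
        return -1;
    return (int)newmode;
}

/* Constructed demo: a temp file standing in for Config.php, created 0644
 * the way the advisory describes, then fixed. Returns the final mode
 * (expected 0640) or -1 if any step or check fails. */
int demo_fix_config(void)
{
    char tmpl[] = "/tmp/atmail-config-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    int result = -1;
    if (chmod(tmpl, 0644) == 0 && is_world_readable(tmpl) == 1) {
        int mode = drop_world_access(tmpl);
        if (mode != -1 && is_world_readable(tmpl) == 0)
            result = mode;
    }
    unlink(tmpl);       /* never leave the sample file behind */
    return result;
}

int main(void)
{
    printf("final mode: %04o\n", demo_fix_config());
    return 0;
}
```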

Unreal Tournament 2004 Denial of Service

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31266
Release Date: 2008-07-30


Critical:
Moderately critical
Impact: DoS

Where: From remote

Solution Status: Unpatched


Software: Unreal Tournament 2004

Description:
Luigi Auriemma has reported a vulnerability in Unreal Tournament 2004, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a NULL pointer dereference error and can be exploited to cause the server to crash via a sequence of specially crafted packets.

The vulnerability is reported in Unreal Tournament 2004 version v3369.

Solution:
Restrict access to game servers to trusted people only.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/ut2004null-adv.txt

Unreal Tournament 3 Denial of Service and Memory Corruption

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31265
Release Date: 2008-07-30


Critical:
Highly critical
Impact: DoS
System access

Where: From remote

Solution Status: Unpatched


Software: Unreal Tournament 3 1.x

Description:
Luigi Auriemma has reported some vulnerabilities in Unreal Tournament, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Solution:
Use in trusted network environments only.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/ut3mendo-adv.txt

BookMine Cross-Site Scripting and SQL Injection

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31258
Release Date: 2008-07-30


Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote

Solution Status: Unpatched


Software: BookMine

Description:
Russ McRee has reported some vulnerabilities in BookMine, which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Solution:
Filter malicious characters and character sequences using a web proxy.

Provided and/or discovered by:
Russ McRee

ScrewTurn Wiki System Log Script Insertion

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31242
Release Date: 2008-07-30


Critical:
Moderately critical
Impact: Cross Site Scripting

Where: From remote

Solution Status: Vendor Patch


Software: ScrewTurn Wiki 2.x

Description:
Ferruh Mavituna has reported a vulnerability in ScrewTurn Wiki, which can be exploited by malicious people to conduct script insertion attacks.

Input passed via error messages to the "/admin.aspx - System Log" page is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator's browser session in context of an affected site when viewing the system log page.

The vulnerability is reported in version 2.0.29 and 2.0.30. Prior versions may also be affected.

Solution:
Update to version 2.0.31 or later.

Provided and/or discovered by:
Ferruh Mavituna, Portcullis Computer-Security Ltd.

Original Advisory:
Portcullis Computer-Security Ltd:
http://www.portcullis.co.uk/281.php

ScrewTurn Wiki:
http://www.screwturn.eu/Wiki.ashx#History_2

PhpWebGallery E-Mail Address Information Disclosure

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Secunia Advisory: SA31232
Release Date: 2008-07-30


Critical:
Not critical
Impact: Exposure of sensitive information

Where: From remote

Solution Status: Vendor Patch


Software: PhpWebGallery 1.x

Description:
Pat has reported a vulnerability in PhpWebGallery, which can be exploited by malicious people to disclose sensitive information.

The problem is that users' profile pages show their e-mail addresses, even when the system is running in adviser mode.

The vulnerability is reported in versions 1.7.0 and 1.7.1. Prior versions may also be affected.

Solution:
Update to version 1.7.2.

Provided and/or discovered by:
Pat

Original Advisory:
http://bugs.phpwebgallery.net/view.php?id=769

Oracle warns of WebLogic exploit

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Oracle has reacted to an acute and critical security problem by issuing a security alert outside of its regular quarterly cycle. In the middle of last week, a hacker using the pseudonym KingCope published an exploit which can cause a buffer overflow in Oracle WebLogic, formerly known as BEA WebLogic. Now the database specialist is telling its customers how to protect themselves against the acute danger it poses.

Versions 6.1 to 10 of the WebLogic plug-in for Apache apparently do not check the length of transferred parameters, which can result in a buffer overflow. This can be exploited over the network without a user account. While Oracle assigns the problem the highest score of 10 in the CVSS security rating scheme, it is silent on KingCope's claim that the hole allows code to be injected. There is no patch yet but until there is, a workaround has been provided to reduce the risk.

More: http://www.heise-online.co.uk/security/Oracle-warns-of-WebLogic-exploit--/news/111210

Serious 0-Day Flaw in Oracle -- Patch Released

In reply to: Oracle warns of WebLogic exploit

Published: 2008-07-30, Last Updated: 2008-07-30 13:14:53 UTC
by David Goldsmith

Oracle has released an emergency security patch that corrects a 0-day flaw which is remotely exploitable without authentication. This is a serious issue.

Oracle's security advisory can be found at the following link. The advisory also contains recommendations for two workarounds that you should implement to help mitigate the potential impact if you are not able to install the security patch right away:

https://support.bea.com/application_content/product_portlets/securityadvisories/2793.html

More information about the issue can be found at:

http://blogs.zdnet.com/security/?p=1581

http://isc.sans.org/

Trend Micro's OfficeScan vulnerable

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

Attackers can use a vulnerability in Trend Micro's OfficeScan to penetrate a PC via the internet, according to a Full Disclosure mailing list report by security specialist Elazar Broad. The cause of the problem is a buffer overflow in an ActiveX control for web deployment, which occurs when manipulated configuration parameters are displayed. According to the report, that makes it possible to inject and execute code in a system. The victim has to visit a manipulated website for the attack to be successful. Also, the OfficeScan client has to be installed on the network.

The affected version is 7.3 build 1343 (patch 4); previous versions may also contain the vulnerability. There is still no official update. A workaround is to set a kill-bit for the vulnerable control (CLSID 5EFE8CB1-D095-11D1-88FC-0080C859833B) to prevent Internet Explorer from loading it. It is unknown whether the current version 8 contains the bug.

http://www.heise-online.co.uk/security/Trend-Micro-s-OfficeScan-vulnerable--/news/111211

Security update for VMware's ESX Server

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

VMware has issued an update to its ESX server version 3.5.x to close security holes in Samba, VMkernel, Service Console, and hostd. The Samba hole has been public for three months and allows attackers to take control of the server.

The other holes have been known since last year, some even since 2006. Why VMware has taken so long to issue the update is a mystery. ESX versions 3.0.2, 3.0.1, 2.5.5 and 2.5.4 are also affected by the security hole in Samba. But there is still no patch available for these.

http://www.heise-online.co.uk/security/Security-update-for-VMware-s-ESX-Server--/news/111212

Vulnerabilities in Outpost Security Suite

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

According to reports Outpost Security Suite contains a vulnerability that allows a firewall to be bypassed. It allows locally running processes to make remote connections without the firewall preventing them. This allows viruses to "call home". The cause of the problem, according to a report published by SecurityTracker, is a particular sequence of characters in the file name of a running application.

A similar bug also exists in virus scanners that do not scan files containing certain characters in their names. According to the report, Outpost Security Suite Pro 2009 is affected. A patch is not yet available.

http://www.heise-online.co.uk/security/Vulnerabilities-in-Outpost-Security-Suite--/news/111213

Web browsers become tools for criminals

In reply to: VULNERABILITIES \ FIXES - July 30, 2008

According to security expert Jeremiah Grossman, the days for intricate attacks on web servers using special tools are numbered. Instead, he says, criminals can use web browsers as an all-round weapon for making money. According to Grossman, this becomes possible due to widespread business logic flaws in web applications, such as lack of authentication or unprotected access to information. The best example for such a flaw was a vulnerability in the open source osCommerce and xt:commerce shop systems discovered last February which allowed simply skipping the payment step while still generating a valid order by calling a URL.

Grossman says that instead of involved cross-site scripting attacks on users and SQL injection attacks on web server databases, criminals now only need a little bit of background knowledge to obtain money or goods. This is not a new type of vulnerability. A variation of the theme has been practised by hackers for years: forced browsing, which involves using the browser to call pages or resources which don't actually have any link connections. Google in particular often discloses information not intended for the public by the web server operator.

More: http://www.heise-online.co.uk/security/Web-browsers-become-tools-for-criminals--/news/111215
